Embedding Security Behaviour Change

Security behaviour change requires a clear vision as well as a coordinated strategy to ensure that interventions are consistent, practical and meaningful.

Before embarking on a change programme, however big or small, it is critical that an organisation is clear on the following:

• The objectives of the change (i.e. the vision or strategy)
• The size and scale of the change (i.e. the gap between where the organisation is now and where it wants to be)
• The actions to implement the change (i.e. the interventions)
• The organisation is ready for the change (i.e. it has the necessary time, resources and buy-in)
• How to communicate the change to the target audience and other key stakeholders (i.e. the communications strategy)
• How to review and evaluate the impact of the change (i.e. the measures of success and key performance indicators)

There is no one right way to deliver change. A bespoke approach, suited to the particular needs and requirements of your organisation will ultimately work best.  

CPNI has developed the 5 E’s approach to organisational behaviour change. This provides some overarching principles that organisations are advised to follow when developing a security change programme, drawing on latest behaviour change theory.

• CPNI's 5Es model to organisational behaviour change